Thanks, that solved the problem.
Might I suggest a better output when there is such an error? Actually a
pretty simple error that could just have printed a "Permission denied" text
instead of showing me the output I got and the erros in the log as well.
Regards
Berry
Den sön 29 dec. 2024 kl 06:51 skrev Madhan Neethiraj <mad...@apache.org>:
> Hi Berry,
>
>
>
> Adding “-iv” option to curl command shows that Ranger admin server
> responds with HTTP status code 403 – Forbidden.
>
>
>
> - I'm running with the same kerberos principal as the admin server is
> using.
>
> Ranger admin server principal doesn’t automatically have privileges
> necessary to create a user group. The principal will need either admin role
> or user/group permission. I suggest to review the permissions for this
> principal (under Settings/Permissions), grant User/Groups permissions (or
> change role of the user to Admin) and try.
>
>
>
> Thanks,
>
> Madhan
>
>
>
>
>
>
>
>
>
> *From: *Berry Österlund <berry.osterl...@middlecon.se>
> *Reply-To: *"user@ranger.apache.org" <user@ranger.apache.org>
> *Date: *Saturday, December 28, 2024 at 11:21 PM
> *To: *"user@ranger.apache.org" <user@ranger.apache.org>
> *Subject: *Problem with /service/xusers/ugsync/groups REST call
>
>
>
> Hi
>
>
>
> I'm doing a fresh installation of Ranger. Pulled from git at 2024-12-24.
> But I'm running into a problem with the usersync, and I have boiled it down
> to the /service/xusers/ugsync/groups REST call.
>
> This is the data I'm trying to send to that interface.
>
> {
> "vXGroups": [
> {
> "name": "test-group",
> "description": "The Uber-nice test group",
> "groupType": "1",
> "isVisible": "1",
> "groupSource": "1",
> "syncSource": "Unix"
> }
> ]
> }
>
>
>
> curl -H "Content-Type: application/json" -X POST -d @usersync.json
> --negotiate -u : "https://server1.domain:6182/service/xusers/ugsync/groups
> "
>
>
>
> I'm running with the same kerberos principal as the admin server is using.
>
>
>
> And this is the response I get.
>
>
>
> <!--
> Licensed to the Apache Software Foundation (ASF) under one or more
> contributor license agreements. See the NOTICE file distributed with
> this work for additional information regarding copyright ownership.
> The ASF licenses this file to You under the Apache License, Version 2.0
> (the "License"); you may not use this file except in compliance with
> the License. You may obtain a copy of the License at
>
> http://www.apache.org/licenses/LICENSE-2.0
>
> Unless required by applicable law or agreed to in writing, software
> distributed under the License is distributed on an "AS IS" BASIS,
> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> See the License for the specific language governing permissions and
> limitations under the License.
> -->
> <!DOCTYPE html>
> <!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7"><![endif]-->
> <!--[if IE 7]><html class="no-js lt-ie9 lt-ie8"><![endif]-->
> <!--[if IE 8]><html class="no-js lt-ie9"><![endif]-->
> <!--[if gt IE 8]><!-->
> <html class="no-js">
> <!--<![endif]-->
> <head>
> <meta charset="utf-8">
> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
> <title> Ranger - Sign In</title>
> <meta name="description" content="">
> <meta name="viewport" content="width=device-width">
> <link rel="shortcut icon" href="images/favicon.ico">
> <link href="styles/bootstrap.min.css" media="all" rel="stylesheet"
> type="text/css" id="bootstrap-css">
> <link rel="stylesheet" href="styles/font-awesome.min.css">
> <link href="styles/xa.css" media="all" rel="stylesheet"
> type="text/css" >
> <script src="libs/bower/jquery/js/jquery-3.5.1.js" ></script>
> <script src="scripts/prelogin/XAPrelogin.js" ></script>
> <script type="text/javascript">
> $(document).ready(function() {
> var updateBoxPosition = function() {
> $('#signin-container').css({
> 'margin-top' : ($(window).height() -
> $('#signin-container').height()) / 2
> });
> };
> $(window).resize(updateBoxPosition);
> var queryParams = JSON.parse('{"' +
> decodeURI((location.href.split('?')[1] || 'g=0').replace(/=/g, "\":\"")) +
> '"}');
> if(queryParams.sessionTimeout){
> window.alert('Session Timeout');
> location.replace("login.jsp");
> }
> setTimeout(updateBoxPosition, 50);
> });
> </script>
> </head>
> <body class="login" style="">
>
> <!-- Page content
> ================================================== -->
> <section id="signin-container" style="margin-top: 4.5px;">
> <div class="l-logo">
> <img src="images/ranger_logo.png" alt="Ranger logo">
> </div>
> <form action="" method="post" accept-charset="utf-8">
> <fieldset>
> <div class="fields">
> <label><i class="fa fa-user"></i> Username:</label>
> <input type="text" name="username" id="username"
> tabindex="1" autofocus>
> <label><i class="fa fa-lock"></i> Password:</label>
> <div class="position-relative">
> <input type="password" name="password"
> id="password" tabindex="2" autocomplete="off">
> <i class="fa fa-eye-slash password-icon"
> id="show-password"></i>
> </div>
> </div>
> <span id="errorBox" class="help-inline"
> style="color:white;display:none;"><span class="errorMsg"></span>
> <i class="fa fa-exclamation-triangle"
> style="color:#ae2817;"></i>
> </span>
> <span id="errorBoxUnsynced" class="help-inline"
> style="color:white;display:none;">User is not available in Ranger Admin
> Tool. Please contact your Administrator.
> <i class="fa fa-exclamation-triangle"
> style="color:#ae2817;"></i>
> </span>
> <button type="submit" class="btn btn-primary
> btn-block" id="signIn" tabindex="4" >
> Sign In
> <i id="signInLoading" class="fa fa-spin
> fa-spinner" style="display: none;"></i>
> </button>
> </fieldset>
> </form>
> </section>
> </body>
> </html>
>
>
>
>
>
> The only thing logged in Ranger admin logs is the following, in the
> catalina.log file.
>
>
>
> Dec 29, 2024 4:13:07 AM com.sun.jersey.spi.container.ContainerResponse
> mapMappableContainerException
> SEVERE: The RuntimeException could not be mapped to a response,
> re-throwing to the HTTP container
> org.springframework.security.access.AccessDeniedException: Access is denied
>
> + a very long stacktrace that I can send on request as well.
>
>
>
> Can anybody help me to figure out what is going wrong here?
>
>
>
>
>
> Regards Berry
>
>
>
> ____________________________________________
>
> Berry Österlund
>
> Middlecon AB | Saltmätargatan 8A | 113 59 Stockholm
>
> Tfn: +46 0732 314 300
>
> berry.osterl...@middlecon.se
>
